Annual Report to Parliament on the Privacy Act
Canada Border Services Agency 2019 to 2020

Table of contents

• Chapter 1: Privacy Act report
  • Introduction
  • Organization
    • I. About the Canada Border Services Agency
    • II. Information sharing, access to information and chief privacy office
  • Activities and accomplishments
    • I. Performance
    • II. Education and training
    • III. New and revised privacy-related policies and procedures
    • IV. Reading room
    • V. Audits of, and investigations into the privacy practices of the Canada Border Services Agency
    • VI. Privacy impact assessments
  • Disclosures made pursuant to paragraph 8(2)(e) of the Privacy Act
  • Disclosures made pursuant to paragraph 8(2)(m) of the Privacy Act
  • Delegation order
• Chapter 2: Statistical report
  • Statistical report on the Privacy Act
  • Interpretation of the statistical report
    • I. Requests received and completed under the Privacy Act
    • II. Completion time
    • III. Extensions
    • IV. Consultations received from other institutions and organizations
    • V. Completion time of consultations on Cabinet confidences
    • VI. Complaints and investigations
    • VII. Privacy breaches
    • VIII. COVID-19: Impact on the CBSA information sharing, access to information and chief privacy office
    • IX. Conclusion
• Annex A: Delegation order
• Annex B: Statistical report
• Annex C: Supplemental statistical report—Request affected by COVID-19 measures

Chapter 1: Privacy Act report

Introduction

The Canada Border Services Agency (CBSA) is pleased to present to Parliament, in accordance with section 72 of the Privacy Act, its annual report on the management of this Act. The report describes the activities that support compliance with the Privacy Act for the fiscal year commencing April 1, 2019, and ending March 31, 2020. During this period, the CBSA continued to build on successful practices implemented in previous years.

The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information. ^{Footnote 1}

As stated in subsections 72(1) and 72(2) of the Privacy Act, "Every year the head of every government institution shall prepare a report on the administration of this Act within the institution during the period beginning on April 1 of the preceding year and ending on March 31 of the current year.… Every report prepared under subsection (1) shall be laid before each House of Parliament on any of the first 15 days on which that House is sitting after September 1 of the year in which the report is prepared." ^{Footnote 2}

Organization

I. About the Canada Border Services Agency

The CBSA has been, since 2003, an integral part of the Public Safety Canada (PS) portfolio, which was created to protect Canadians and maintain a peaceful and safe society. The Agency is responsible for providing integrated border services that support national security and public safety priorities and facilitate the free flow of persons and goods, including animals and plants, that meet all requirements under the program legislation.^{Footnote 3}

The CBSA carries out its responsibilities with a workforce of approximately 14,000 employees, including over 6,500 uniformed CBSA officers who provide services at approximately 1,200 points across Canada and at 39 international locations. ^{Footnote 4}

II. Information sharing, access to information and chief privacy office

The Information Sharing, Access to Information and Chief Privacy (ISATICP) Office is comprised of 6 units: an Administration section, 3 Case Management units, and 2 Policy units. The Administration section’s function is to receive all incoming requests and consultations, to ensure quality control of all outgoing correspondence, and to support the Case Management units in their day-to-day business. The Case Management units assign branches and regions with retrieval requests, process requests under the Privacy Act, and provide daily operational guidance and support to CBSA employees. The ATIP Policy and Governance Unit develops policies, tools, and procedures to support ATIP requirements within the CBSA and provides training to employees. The Information Sharing and Collaborative Arrangement Policy Unit maintains the policy framework for the CBSA’s information-sharing and domestic written collaborative arrangements. On average, 81 full-time equivalents, and 7 part-time, casual and student employees were employed in the ISATICP Office during fiscal year 2019 to 2020.

The ATIP coordinator for the CBSA is the Executive Director of the ISATICP Office. The ISATICP Office is part of the Chief Data Office, which reports to the Vice-President (VP) of the Strategic Policy Branch. Consistent with best practices identified by the Treasury Board of Canada Secretariat (TBS), ^{Footnote 5} the CBSA's ATIP coordinator is positioned within 3 levels of the President and has full delegated authority, reporting directly to the Chief Data Officer, who in turn reports to the VP of the Strategic Policy Branch.

Key to maintaining compliance with the statutory time requirements of the Privacy Act is the ISATICP Office’s ability to obtain personal information from branches and regions in a timely and reliable manner. Supported by a network of 19 ATIP liaison officers across the CBSA, the ISATICP Office is well-positioned to receive, coordinate, and process requests for personal information under the Privacy Act.

The ISATICP Office works closely with other members of the PS portfolio, including the Canadian Security Intelligence Service, the Correctional Service of Canada, the Parole Board of Canada, and the Royal Canadian Mounted Police, to share best practices and develop streamlined processes for the retrieval of jointly held records within the 30-day legislated time frame required to respond to privacy requests.

Activities and accomplishments

I. Performance

Fiscal year 2019 to 2020 saw record high volumes of privacy requests made to the CBSA. The record volumes are largely attributable to individuals seeking copies of their history of arrival dates into Canada. In fiscal year 2019 to 2020, 81.8% of all the privacy requests received by the CBSA came from individuals seeking their Traveller History Report (THR), which contains information used to support residency requirements for programs administered by Immigration, Refugees and Citizenship Canada (IRCC) and Employment and Social Development Canada (ESDC).

In September 2012, IRCC, in consultation with the CBSA, introduced a new consent-based application form which sees applicants for citizenship provide consent on their applications for IRCC to view their travel history directly. The CBSA has allocated 100 accounts to the IRCC to verify (view only) clients’ THR to Canada. IRCC has since viewed approximately 1.55 million THR, of which 295,352 were in fiscal year 2019 to 2020, that might otherwise have been requested formally through the CBSA by way of formal Privacy Act, or Access to Information Act requests.

The CBSA continued to see high volumes of privacy requests submitted through the Access to Information and Privacy Online Request tool. Through this tool, the Agency received 11,876 requests, which amounted to 84.2% of all privacy requests received by the CBSA.

The CBSA continued to offer the electronic format for responses to privacy requests. Although electronic format made up only 11.6%, these requests accounted for 84.2% of all the pages the CBSA disclosed in their entirety or disclosed in part this fiscal year.

The ISATICP Office also provided case-by-case policy guidance to CBSA program areas related to the disclosure of information under section 8 of the Privacy Act and section 107 of the Customs Act. In total, the ISATICP Office received 1,817 requests for guidance in fiscal year 2019 to 2020, representing an increase of 2.2% over the previous year.

The CBSA ISATICP Office is one of the largest and busiest in all of government. Our staff are committed professionals who operate daily with large workloads and in a fast-paced environment which is why we are committed to offering a well-managed healthy environment, with staff well-being as an extremely important aspects for the CBSA ISATICP Office.

Being an agency with information stored across the country as well as internationally, the use of electronic filing systems has become increasingly important. With this in mind, the office has transitioned to an entirely paperless environment. Adding remote access capability to the new paperless environment enabled us to continue a telework schedule that allows our employees the option to work from home. The results have been remarkable with the best on-time performance within the legislated timeframe in the history of the CBSA despite record high volumes of requests received.

Finally, as per Section 73.1 of the Privacy Act, the CBSA ISATICP Office has not provided services related to any power, duty or function conferred or imposed on the CBSA under this Act to another government institution that is under the responsibility of the Minister of Public Safety and Emergency Preparedness and has not receive such services from any other such government institution.

II. Education and training

In fiscal year 2019 to 2020, the ISATICP Office continued to conduct bilingual training sessions that supported the implementation of streamlined processing procedures and built an awareness of ATIP obligations. These sessions are designed to ensure that the participants fully understand their responsibilities under the Privacy Act, with a focus on requests made pursuant to the Act and the duty-to-assist principles. Sixteen sessions were offered, with 235 National Capital Region (NCR) and regional employees taking part.

CBSA employees also took advantage of the free online course entitled "Managing Information at the Canada Border Services Agency and the Access to Information Act and the Privacy Act." This one-hour online course was designed to provide employees with the basic principles for effectively managing information in their daily work. After completing this course, employees will have acquired the knowledge to better identify various types of information, learned how requests under the Access to Information Act and the Privacy Act are handled, and learned about their responsibilities throughout the process. A total of 685 participants completed the online training in fiscal year 2019 to 2020.

Moreover, the ISATICP Office delivered 12 in-class training sessions on section 107 of the Customs Act, as well as basic information-sharing, disclosure of intelligence-related information, and business line-specific training sessions to 183 employees in the NCR and across the regions. In addition, before attending the in-class training, employees are advised to complete the interactive online training course, regarding information sharing that was developed by the ISATICP Office.

Further, the ISATICP Office developed a communications plan to raise employees’ awareness of their obligations under the Privacy Act. The plan leverages key dates, such as Data Privacy Day, and other activities at the CBSA to promote ATIP tools, resources, and awareness.

Finally, the ISATICP Office continues to actively participate in the TBS-led ATIP coordinators’ and ATIP practitioners’ meetings. These meetings provide opportunities for employees of the CBSA ISATICP Office to liaise with employees from other institutions to discuss various issues and challenges that have been identified by the ATIP community.

III. New and revised privacy-related policies and procedures

During fiscal year 2019 to 2020, the CBSA continued to revise existing policies and to develop new ones.

The ISATICP Office has continued to take a number of measures to enhance and promote ATIP tools that are readily accessible to CBSA employees by utilizing Apollo (GCDocs). To this end, we are able to ensure that the ISATICP Office intranet site is up to date and available to all CBSA employees. This allows the ISATICP Office to quickly share information and best practices and to facilitate collaboration across the Agency.

The CBSA continued to see a rise in ATIP related audio/video redacting requests. In response to this growth, the ISATICP Office has continued to take measures to respond to these requests in a timely manner by installing additional redaction stations and new software that facilitate our redaction capacity within the ISATICP Office.

It should also be noted that as part of an Innovation Solutions Canada challenge initiative, the ISATICP Office, in partnership with the Chief Transformation Officer Branch and the Information, Science and Technology Branch, is currently involved in a project allowing private companies to introduce applied concept for the redaction of video recording, a solution that will allow video and audio recordings to be automatically processed. This year, the ISATICP Office has provided assistance in the testing and the evaluation on this new software. Once available, this software will be promoted as the solution for processing video and audio recordings for the entirety of the Government of Canada.

This year, the CBSA continued to be an active and key participant in the Privacy Act Modernization working group, which has helped establish the CBSA’s position on the modernization of this Act. The CBSA believes that a modernized Act should facilitate the government work while continuing to respect individuals’ privacy rights and the Canadian Charter of Rights and Freedom. The CBSA will continue to develop policy options, and to work on transition advice, alongside the Department of Justice, in the modernization of the Privacy Act.

The second annual report to the Minister of Public Safety and Emergency Preparedness on the application of the Order in Council to the CBSA: Avoiding Complicity in Mistreatment by Foreign Entities, was issued to the CBSA President, and subsequently presented to the Minister in March 2020.

The ISATICP Office continued to provide the service of informally reviewing CBSA records for internal programs as if they had been requested under the Privacy Act. The ISATICP Office received 160 internal requests of this nature in fiscal year 2019 to 2020.

The ISATICP Office closely monitors the time it takes to process privacy requests. Monthly reports, which show trends and performance, are submitted to the Assistant Directors of the Case Management units, to the Executive Director of the ISATICP Office, and to the Chief Data Officer. Monthly reports consisting of statistics on the performance of the offices of primary interest are also distributed to all ATIP liaison officers. Finally, quarterly trend reports portraying the overall performance of the Agency are reviewed and discussed during meetings of the Agency’s Executive Committee ^{Footnote 6} and are included in the Agency Performance Summary.

IV. Reading room

The CBSA, in accordance with the Privacy Act, maintains a reading room for applicants who wish to review material in person at the CBSA. Applicants may access the reading room by contacting the CBSA’s ISATICP office by telephone at 343-291-7021 or by sending an email to atip-aiprp@cbsa-asfc.gc.ca. The reading room is located at:

Place Vanier Complex
14th flr Tower A
333 North River Rd
Ottawa ON  K1A 0L8

V. Audits of, and investigations into the privacy practices of the Canada Border Services Agency

Between 2019 and 2020, the ISATICP Office underwent a review by the CBSA Internal Audit and Program Evaluation Directorate concerning the Management of Privacy Breaches at the CBSA. The review was completed in fiscal year 2019 to 2020 and the recommendations are as follows:

Recommendation 1: The Vice-President (VP), Strategic Policy Branch (SPB), should implement improved tracking of privacy breach management (such as a case management software) and additional measures to promote accountability for the expectations and timelines set out in the Privacy Breach Protocol.

Management response 1: The SPB is in agreement with this recommendation and will work to promote accountability and expectations and improve how the branch is tracking privacy breaches.

Recommendation 2: The VP, SPB, as part of monitoring and reporting on the privacy management program, should conduct regular analysis of privacy breaches (including trend analysis of types, locations, root causes etc.) and evolve Agency privacy practices as required. This information should also be used to identify where Office of Primary Interests may need to implement additional controls and to review the effectiveness of remediation measures.

Management response 2: The SPB is in agreement with this recommendation. The SPB will conduct regular analysis of privacy breaches and evolve Agency privacy practices. In addition, the SPB will use this information to identify where additional controls need to be implemented and will review the effectiveness of these remediation measures.

Recommendation 3: The VP, SPB, should develop a risk-based strategy to identify and assess areas that are most susceptible to privacy breaches and work with the information owners to ensure appropriate controls are in place and functioning to protect the personal information.

Management response 3: The SPB is in agreement with this recommendation. SPB will conduct a risk-based assessment of Agency personal information holdings to identify areas that are most susceptible to privacy breaches. The SPB will also work with the information owners to provide advice to ensure that appropriate controls are in place and are functioning to protect the personal information.

VI. Privacy Impact Assessments

In fiscal year 2019 to 2020, the CBSA completed 3 Privacy Impact Assessments (PIA). They were all sent to the Office of the Privacy Commissioner of Canada and TBS for review and comments.

The 3 PIAs completed by the CBSA are:

• NEXUS
• CANPASS
• Radio frequency identification-enabled document data (RFID)

Full executive summaries of these PIAs are available.

NEXUS

NEXUS is a bi-national Canada-United States (U.S.) program managed by the CBSA and U.S. Customs and Border Protection (CBP). The Trusted Traveller Programs Unit of the Travellers Programs at the CBSA is the Office of Primary Interest for NEXUS.

NEXUS allows customs and immigration border clearance processes to be streamlined for pre-approved, low-risk travellers, and permits the CBSA and the U.S. CBP to allocate their resources more effectively at the border. Membership is 5 years and provides expedited border clearance into Canada and the U.S. in the land, air and marine travel modes. In 2002, the NEXUS program was delivered in a travel mode specific format, beginning with the NEXUS Highway Program. Subsequently in 2006, the NEXUS suite of programs was harmonized to provide members with expedited travel privileges in all 3 travel modes (land, air and marine). NEXUS members use dedicated lanes in the highway mode, self-serve kiosks in the air mode and report through the Telephone Reporting Centres in the marine mode.

CANPASS

This Umbrella PIA includes all activities relating to the collection, storage and use of personal information by the CBSA as it relates to the CANPASS suite of programs (CANPASS Corporate Air, CANPASS Private Air, CANPASS Air and CANPASS Private Boats ), the Commercial Driver Registration Program (CDRP) and the Pilot Project for Travellers in Remote Areas: Quebec (PPTRA-Q). These Trusted Traveller Programs (TTPs) store personal information in similar databases whereby CANPASS Corporate Air, Private Air, Private Boats and CDRP all use the Canadian Processing Centre System and PPTRA-Q and CANPASS Air use the Global Enrolment Component.

The CANPASS suite of programs is a suite of voluntary TTPs in the air and marine modes offered by the CBSA to expedite the border clearance process for frequent, pre-approved, low risk travellers arriving in Canada. A separate application form is required for each applicant and CANPASS program. The existing CANPASS Corporate Air and CANPASS Private Air programs are open to Canadian and U.S. citizens and permanent residents who meet the program eligibility criteria.

Radio frequency identification-enabled document data

This PIA replaces the PIA submitted in December 2008 entitled Enhanced Driver’s Licence (EDL) and Enhanced Identification Card (EIC) Program: Use of EDL data by the CBSA, which is a collaborative program between the CBSA and 3 participating provinces: Ontario, Manitoba and British Columbia. A fourth province, Quebec, also initially participated but discontinued the availability of a Quebec Enhanced Driver’s Licence (EDL) to new applicants in October 2014. Quebec EDLs currently in circulation will remain active until they expire, and as such, are out for scope for this addendum. These provinces earlier agreed to make available enhanced documents (such as a Driver’s Licence or an Identification Card) that meet the requirements of the Western Hemisphere Travel Initiative, allowing Canadian citizens to use the identification to facilitate land or water travel between Canada and the U.S.

Disclosures made pursuant to paragraph 8(2)(e) of the Privacy Act

During the 2019 to 2020 fiscal year, 1,066 disclosures pursuant to paragraph 8(2)(e) of the Privacy Act were made by the CBSA.

Disclosures made pursuant to paragraph 8(2)(m) of the Privacy Act

During the 2019 to 2020 fiscal year, the CBSA made no disclosure pursuant to paragraph 8(2)(m) of the Privacy Act.

Delegation order

Refer to Annex A for a signed copy of the delegation order.

Chapter 2: Statistical report

Statistical report on the Privacy Act

Refer to Annex B for the CBSA's statistical report on the Privacy Act.

Interpretation of the statistical report

I. Requests received and completed under the Privacy Act

The CBSA received 14,102 privacy requests in fiscal year 2019 to 2020, which was an increase of 4.9% over the previous year. Moreover, the CBSA responded to 13,866 Privacy Act requests, representing 91% of the total Number of requests received and outstanding from the previous reporting period. Of the 1,365 requests carried over to fiscal year 2020 to 2021, 1,016 were on time and 349 were late. Finally, the CBSA processed 547,551 pages under the Privacy Act.

For the past 5 years, the CBSA has consistently been among the top government departments in terms of workload. While receiving a substantial Number of requests each year, the CBSA has been able to maintain and improve upon its performance in a year which has seen its greatest Number of requests ever received.

II. Completion time

Of all the requests completed, the CBSA was successful in responding to 98.5% within the legislated timelines, an increase from the 97.9% achieved last fiscal year.

III. Extensions

In total, 910 extensions were applied for in fiscal year 2019 to 2020. This represents a decrease of 23.8% in extensions in comparison to the previous fiscal year, and this despite an increase in the volume of requests received. Extensions were applied 98.5% of the time because of workload and meeting the original 30-day time limit would have resulted in unreasonable interference with the CBSA operations. The remaining 1.5% of the time was for consulting with third parties or other government institutions, or for additional time for translation purposes or for the purposes of converting the personal information into an alternative format.

IV. Consultations received from other institutions and organizations

Between 2019 and 2020, the CBSA completed 80 consultation requests from other government institutions and organizations. This represents a decreased of 21.6% in comparison to the previous fiscal year. However, in order to respond to these requests, 34,810 pages were reviewed, an increase of more than 820.7% from the previous fiscal year.

V. Completion time of consultations on Cabinet confidences

Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), the policies of the Treasury Board of Canada Secretariat require agencies and departments to consult their legal services to determine if requested information should be excluded. If there is any doubt or if the records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.

Between 2019 and 2020 the CBSA did not consulted CBSA Legal services regarding Cabinet confidence exclusions, due to the fact that requesters are excluding Cabinet confidences from their requests.

VI. Complaints and investigations

Subsection 29(1) of the Privacy Act describes how the Office of the Privacy Commissioner of Canada (OPC) receives and investigates complaints from individuals regarding their personal information held by a government institution. Examples of complaints the OPC may choose to investigate include a refusal of access to personal information; an allegation that personal information about an individual that is held by a government institution has been misused or wrongfully disclosed; or failure to provide access to personal information in the official language requested by the individual.

Throughout fiscal year 2019 to 2020, 59 Privacy Act complaints were filed against the CBSA, which represents a decrease of 7.8% compared to fiscal year 2018 to 2019. The reason most cited for complaints was the refusal to disclose information. The complaints received during the fiscal year were related to the following issues: time delay (17); refusal to disclose (18); application of exemptions (14); use and disclosure (2); collection (2); extension (2); and miscellaneous (4). For context, the number of complaints filed relate to only 0.4% of the 13,866 privacy requests completed during this period.

Of the 86 complaints completed in fiscal year 2019 to 2020, 47 were deemed well-founded, and 21 were deemed not well-founded. Additionally, 15 complaints were resolved; 2 were discontinued; and one was settled. Where complaints are substantiated, the matter is reviewed by the delegated managers and processes are adjusted if required.

VII. Privacy breaches

There were no material privacy breaches reported during fiscal year 2019 to 2020.

VIII. COVID-19: Impact on the CBSA information sharing, access to information and chief privacy office

The CBSA Information Sharing, Access to Information and Chief Privacy (ISATICP) Office continued to work effectively as we were, prior to COVID-19, since the office already had remote access capability which enabled us to continue to work from home.

Between March 14 and March 31, 2020, the CBSA ISATICP Office received 524 Privacy Act requests, which relate to only 3.7% of the 14,102 access to information requests received between 2019 and 2020.

During the same period, the CBSA ISATICP Office closed a total of 312 Privacy Act requests, of which 288 (92.3%) were closed within the legislative timeliness, and 24 (7.7%) were closed past the legislative timelines, thereby maintaining continued strong legislative compliance.

Finally, in accordance with TBS guidelines, the Agency implemented interim measures for processing Privacy Act requests due to COVID-19. Since paper records were not accessible, the ISATICP Office contacted each requester for new and outstanding requests to offer that they limit their request to electronic records, thereby making them retrievable remotely. This new measure was very well received by requesters.

IX. Conclusion

The achievements portrayed in this report reflect the CBSA’s commitment to ensuring that every reasonable effort is made to meet its obligations under the Privacy Act. The CBSA strives to provide Canadians with their personal information to which they have a right in a timely and helpful manner while protecting the privacy rights of all Canadians.

Annex A: Delegation order

Ministerial Order
Access to Information Act and Privacy Act

Pursuant to section 73 of the Access to Information Act^{Footnote 1} and section 73 of the Privacy Act^{Footnote 2}, I hereby designate the persons holding the positions set out in the schedule hereto, or a person authorized to exercise the powers or perform the duties and functions of that position, to exercise or perform the powers, duties and functions of the Minister of Public Safety and Emergency Preparedness as the head of the Canada Border Services Agency under the provisions of the Act and related regulations set out in the schedule opposite each position.

This Order replaces previous designation orders and comes into force on the date on which it is signed.

Dated at Ottawa, Province of Ontario, this 27th day of January, 2020.

The Honourable Bill Blair, P.C., C.O.M., M.P.
Minister of Public Safety and Emergency Preparedness

Annex B: Statistical report on the Privacy Act

Name of institution: Canada Border Services Agency

Reporting period: 2019-04-01 to 2020-03-31

Section 1: Requests under the Privacy Act

Section 2: Requests closed during the reporting period

2.5 Complexity

2.6 Closed requests

2.7 Deemed refusals

Section 3: Disclosures under subsection 8(2) and 8(5)

Section 4: Requests for correction of personal information and notations

Section 5: Extensions

Section 6: Consultations received from other institutions and organizations

Section 7: Completion time of consultations on Cabinet confidences

Section 8: Complaints and investigations notices received

Section 9: Privacy impact assessments and personal information banks

Section 10: Material privacy breaches

Section 11: Resources Related to the Privacy Act

Annex C: Supplemental statistical report—Request affected by COVID-19 measures

The following table reports the total number of formal requests received during 2 periods: April 1, 2019 to March 13, 2020 and March 14, 2020 to March 31, 2020.

The following table reports the total number of requests closed within the legislated timelines and the number of closed requests that were deemed refusals during 2 periods: April 1, 2019 to March 13, 2020 and March 14, 2020 to March 31, 2020.

The following table reports the total number of requests carried over during 2 periods: April 1, 2019 to March 13, 2020 and March 14, 2020 to March 31, 2020.

Date modified:

2020-10-20